Abstract

Two misuses of one-time pad in improving the efficiency of quantum communication
are pointed out. One happens when using some message bits to encrypt others, the
other exists because the key bits are not truly random. Both of them result in the
decrease of security. Therefore, one-time pad should be used carefully in designing
quantum communication protocols.

The aim of cryptography is to ensure that a secret message is transmitted
between two users in a way that any eavesdropper cannot read it. In classical
cryptography, it is generally accepted that one-time pad [1], which utilizes a
previously shared secret key to encrypt the message transmitted in the public
channel, is the only proved secure cryptosystem [2]. However, it is difficult
for all existing classical cryptosystems to establish a random key with
unconditional security between the users. Fortunately, quantum key distribution
(QKD) [3,4,5,6], the approach using quantum mechanics principles for the
distribution of secret key, can overcome this obstacle skillfully. Since both QKD
and one-time pad have proved security [7,8,9,10], the cryptosystem of "QKD
& one-time pad" is a perfect one as far as security is concerned.



* Corresponding author. 

Email address: hzpe@sohu.com (Fei Gao). 



Preprint submitted to Elsevier Science 



1 February 2008 



Quantum secure direct communication (QSDC) [11,12,13,14] is another branch
of quantum cryptography. Different from QKD, QSDC allows the sender to
transmit the secret (not a random key) directly to the receiver in a deterministic
and secure manner. If it is designed carefully, a QSDC protocol can also attain
unconditional security [15].

With the fast development of quantum cryptography, more and more novel
QKD and QSDC protocols have been proposed. An important criterion of a protocol
is its efficiency, and a higher efficiency is the goal that scheme designers
always pursue. However, the feasibility of some ways
that lead to high efficiency should be reexamined. In this Letter we choose
two typical protocols to discuss, where the alleged high efficiency is illusory.
That is, such an unrealistic efficiency would result in insecurity.

Recently, a semi-direct quantum secure communication protocol was presented
in Ref. [16]. In this protocol, three users Alice, Bob, and Charlie can exchange
one bit of message securely by using one GHZ-state. That is, each of them can
send one bit of message to the other two persons while the outside eavesdropper,
say Eve, can never obtain any information about these bits. Setting aside
the particular process of this part of the protocol, we only discuss the way it
uses to improve the efficiency. In the following discussion, we assume that the
bits transmitted by the quantum process are unconditionally secure. As we can
see, the efficiency of the quantum process is one bit per GHZ-state. To make it
more efficient, the users employ the quantum process to send the odd-numbered
secret bits but a classical one to send the even-numbered bits, namely, using the
odd-numbered bits to encrypt the even-numbered ones. For example, suppose
Alice's secret bit string is $\{a_1, a_2, a_3, a_4\}$. Alice first sends $a_1$ to
Bob and Charlie by the quantum process. Afterwards, Alice calculates
$a'_2 = a_1 \oplus a_2$ ($\oplus$ denotes the addition modulo 2) and publicly
broadcasts $a'_2$. With the knowledge of $a_1$, Bob and Charlie can deduce $a_2$
just by $a_2 = a'_2 \oplus a_1$. On the contrary, as an outside eavesdropper, Eve
cannot obtain any information about $a_2$ since she does not know $a_1$.
Similarly, Alice sends $a_3$ by the quantum process and $a'_4$ by the classical
one, and so on. As the author of Ref. [16] pointed out, each of
the odd-numbered secret bits "is used only once in the encoding so their
confidentiality has not been leaked out at all, in accordance with the one-time
pad." In this way, the efficiency of the whole protocol is doubled to 2 bits per
GHZ-state.

Indeed, the above process to send the even-numbered secret bits looks like
that of one-time pad. However, it is really not so. Consider the scenario
where Alice and Bob share two secure key bits $\{k_1, k_2\}$ and Alice wants to
send two confidential bits $\{p_1, p_2\}$ to Bob. In a real one-time pad, Alice
encrypts the plaintext $\{p_1, p_2\}$ with the key bits $\{k_1, k_2\}$, obtaining
the ciphertext $\{c_1, c_2\} = \{p_1 \oplus k_1, p_2 \oplus k_2\}$. Afterwards,
Alice sends $\{c_1, c_2\}$ to Bob publicly. With the knowledge of $\{k_1, k_2\}$,
Bob can obtain the plaintext by the decryption
$\{p_1, p_2\} = \{c_1 \oplus k_1, c_2 \oplus k_2\}$. On the contrary, Eve cannot
extract any information about the plaintext from $\{c_1, c_2\}$. As a result,
Alice can transmit 2 bits to Bob securely by the above process. Differently, in
Ref. [16], Alice uses the first message bit $a_1$ instead of a key bit to encrypt
the second one $a_2$ and broadcasts the ciphertext $a'_2$, which results in an
invalid transmission from the perspective of information theory and
cryptography. That is, Eve can attain some information about the message bits
$\{a_1, a_2\}$ from the declared $a'_2$. For example, suppose $a'_2 = 0$. Then Eve
knows either $\{a_1, a_2\} = 00$ or $\{a_1, a_2\} = 11$, which contains only
$\log_2 2 = 1$ bit of information for her. When $a'_2 = 1$ we will draw the
similar conclusion. Therefore, from the declared $a'_2$ Eve can obtain 1
bit of information about the two message bits though she does not know the
particular value of them. Consequently, every time Alice sends two message
bits according to the protocol in Ref. [16], Bob obtains all the 2 bits of
information while Eve can also get 1. Namely, in essence, Alice just transmits
1 bit of information to Bob securely. From this point of view, the way to improve
efficiency in Ref. [16] is null.
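
The leak described above can be checked by exhaustive enumeration. The following is an added example, not code from the Letter or from Ref. [16]; the function names are hypothetical, and it assumes uniformly random message bits and a perfectly secure quantum channel for the odd-numbered bit, so that only the broadcast bit (a1 XOR a2) is public.

```python
from collections import Counter
from itertools import product
from math import log2

def entropy(counts):
    """Shannon entropy (bits) of the distribution given by a Counter."""
    total = sum(counts.values())
    return -sum(n / total * log2(n / total) for n in counts.values())

def leaked_bits(public_view, n_msg, n_key):
    """I(M;C): bits Eve learns about a uniform n_msg-bit message from the
    public transcript, given n_key uniform, independent key bits."""
    m_cnt, c_cnt, mc_cnt = Counter(), Counter(), Counter()
    for m in product((0, 1), repeat=n_msg):
        for k in product((0, 1), repeat=n_key):
            c = public_view(m, k)
            m_cnt[m] += 1
            c_cnt[c] += 1
            mc_cnt[(m, c)] += 1
    return entropy(m_cnt) + entropy(c_cnt) - entropy(mc_cnt)

def true_otp(m, k):
    # Real one-time pad: each message bit is XORed with its own key bit.
    return tuple(p ^ key for p, key in zip(m, k))

def message_as_key(m, k):
    # Scheme discussed above: a1 travels over the (assumed secure) quantum
    # channel, so only a1 XOR a2 is public. No key bits are consumed.
    a1, a2 = m
    return (a1 ^ a2,)

def candidates(public_view, n_msg, observed):
    """Messages still consistent with Eve's observation (keyless schemes)."""
    return [m for m in product((0, 1), repeat=n_msg)
            if public_view(m, ()) == observed]

if __name__ == "__main__":
    print("true OTP leak       :", leaked_bits(true_otp, 2, 2))
    print("message-as-key leak :", leaked_bits(message_as_key, 2, 0))
    print("broadcast 0 leaves  :", candidates(message_as_key, 2, (0,)))
```

The two-bit one-time pad leaks 0 bits, while the message-as-key variant leaks exactly 1 of the 2 message bits, matching the analysis above.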

Things do not come singly but in pairs. Not long ago, Li et al. presented
a QKD scheme [17] based on entanglement swapping [18]. In this protocol,
Alice and Bob previously shared enough EPR pairs in known states. Without
loss of generality, consider two pairs
$|\Phi^+\rangle^{12}_{AB} = 1/\sqrt{2}(|00\rangle + |11\rangle)$ and
$|\Psi^+\rangle^{34}_{AB} = 1/\sqrt{2}(|01\rangle + |10\rangle)$, where the
superscripts 1, 2, 3, 4 denote the different particles. Alice holds particles
1, 3 and Bob controls 2, 4. When they
distribute key bits, Alice and Bob perform entanglement swapping between
these two EPR pairs. According to the rule of entanglement swapping, each
of them knows not only his/her measurement result but also his/her
counterpart's. The author of Ref. [17] alleged that these two results can bring
four key bits to Alice and Bob. For example, when Alice performs a Bell
measurement on particles 1 and 3 and gets $|\Psi^+\rangle^{13}$, she can deduce
that Bob's measurement outcome must be $|\Phi^+\rangle^{24}$. If four EPR states
$|\Phi^+\rangle$, $|\Phi^-\rangle$, $|\Psi^+\rangle$, and $|\Psi^-\rangle$
represent 00, 01, 10, and 11 respectively, Alice will obtain four key
bits 1000, where 10 comes from $|\Psi^+\rangle^{13}$ and 00 corresponds to
$|\Phi^+\rangle^{24}$. At the
same time, Bob can attain these four key bits by similar deduction. Therefore,
four particles bring four key bits, which means double the efficiency of the
BB84 protocol [3].

However, the efficiency may not be so high. As we know, for two given EPR
pairs, the two measurement results in entanglement swapping are not
completely random. On the contrary, they have strong correlation. Consider the
above example again. Because

$$|\Phi^+\rangle^{12}_{AB}|\Psi^+\rangle^{34}_{AB} = \frac{1}{2}\{|\Phi^+\rangle^{13}|\Psi^+\rangle^{24} + |\Phi^-\rangle^{13}|\Psi^-\rangle^{24} + |\Psi^+\rangle^{13}|\Phi^+\rangle^{24} + |\Psi^-\rangle^{13}|\Phi^-\rangle^{24}\} \qquad (1)$$

anyone, including Eve, who knows the initial state
$|\Phi^+\rangle^{12}_{AB}|\Psi^+\rangle^{34}_{AB}$ can draw a
conclusion that Alice and Bob's outcome pair must be one of
$\{|\Phi^+\rangle^{13}|\Psi^+\rangle^{24}, |\Phi^-\rangle^{13}|\Psi^-\rangle^{24}, |\Psi^+\rangle^{13}|\Phi^+\rangle^{24}, |\Psi^-\rangle^{13}|\Phi^-\rangle^{24}\}$
randomly. Therefore, Eve knows
the key bits Alice and Bob obtain should be one of {0010, 0111, 1000, 1101}
with equal probability while the other twelve results (such as 0000, 0100, etc.)
never appear, which contains only
$I = -\sum \frac{1}{4}\log_2\frac{1}{4} = 2$ bits of information.

As a result, if Alice encrypts her secret by using the above results as four key
bits of a one-time pad, it would be leaked partly to Eve when the ciphertext
is transmitted publicly. For example, let $\{p_1, p_2, p_3, p_4\}$ and
$\{k_1, k_2, k_3, k_4\}$ denote four bits of plaintext and key respectively. Then
the ciphertext equals
$\{c_1, c_2, c_3, c_4\} = \{p_1 \oplus k_1, p_2 \oplus k_2, p_3 \oplus k_3, p_4 \oplus k_4\}$.
Observing the possible values of the above key bits, we can see that
$k_1 \oplus k_3 = 1$ and $k_2 \oplus k_4 = 0$ always hold. Consequently, when the
ciphertext is announced, Eve always knows that
$p_1 \oplus p_3 = c_1 \oplus k_1 \oplus c_3 \oplus k_3 = c_1 \oplus c_3 \oplus 1$ and
$p_2 \oplus p_4 = c_2 \oplus k_2 \oplus c_4 \oplus k_4 = c_2 \oplus c_4$,
which implies a two-bit leakage of the secret. In a word, to attain security, the
efficiency of the protocol in Ref. [17] should be 2 bits per entanglement
swapping, but not the alleged 4.
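
The correlation between the two swapping outcomes, and the parities it hands to Eve, can be reproduced with a small amplitude calculation. This is an added example, not code from the Letter or from Ref. [17]; the function names are hypothetical, the Bell-state encoding is the one given above, and `swap_outcomes` goes slightly beyond the text by accepting any two initial Bell pairs.

```python
from itertools import product
from math import log2, sqrt

S = 1 / sqrt(2)
# Bell states as amplitude tables over two-qubit basis labels, using the
# encoding from the text: Phi+ = 00, Phi- = 01, Psi+ = 10, Psi- = 11.
BELL = {
    "00": {(0, 0): S, (1, 1): S},    # |Phi+>
    "01": {(0, 0): S, (1, 1): -S},   # |Phi->
    "10": {(0, 1): S, (1, 0): S},    # |Psi+>
    "11": {(0, 1): S, (1, 0): -S},   # |Psi->
}

def swap_outcomes(pair12="00", pair34="10"):
    """Probability of each joint Bell outcome (Alice on 1,3; Bob on 2,4),
    keyed by the resulting 4-bit string, for initial pairs on (1,2), (3,4)."""
    probs = {}
    for a, b in product(BELL, repeat=2):
        amp = 0.0
        for (q1, q3), x in BELL[a].items():
            for (q2, q4), y in BELL[b].items():
                # Overlap of <a|_13 <b|_24 with |pair12>_12 |pair34>_34.
                amp += (x * y * BELL[pair12].get((q1, q2), 0.0)
                        * BELL[pair34].get((q3, q4), 0.0))
        if amp * amp > 1e-12:
            probs[a + b] = amp * amp
    return probs

def key_entropy(probs):
    """Shannon entropy (bits) of the key Alice and Bob actually obtain."""
    return -sum(p * log2(p) for p in probs.values())

def eve_recovers_parities(probs):
    """True if c1^c3^1 == p1^p3 and c2^c4 == p2^p4 for every possible key
    and every 4-bit plaintext, i.e. Eve reads both parities off the wire."""
    for key in probs:
        k = [int(ch) for ch in key]
        for p in product((0, 1), repeat=4):
            c = [pi ^ ki for pi, ki in zip(p, k)]
            if (c[0] ^ c[2] ^ 1, c[1] ^ c[3]) != (p[0] ^ p[2], p[1] ^ p[3]):
                return False
    return True

if __name__ == "__main__":
    out = swap_outcomes()
    print(sorted(out), key_entropy(out), eve_recovers_parities(out))
```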

Both the above errors are related to the right understanding of one-time pad.
It was shown, by Shannon [2], that the one-time pad which meets the following
three conditions is perfectly secure: (i) the key is truly random, (ii) the
key has the same length as the message, (iii) the key is never reused. In Ref.
[16], the users use a message bit, but not a key bit, to encrypt another one. In
Ref. [17], the key bits are correlated but not truly random. Neither of them
is a real one-time pad. Therefore, we should know not only that one-time pad can
achieve perfect security but also the requirements to possess this merit. We
emphasize that unconditional security is a crucial feature of quantum
cryptography (generally QKD & one-time pad) and it should never be sacrificed
to improve the performance of other aspects such as efficiency.

As we analyzed above, a fake one-time pad cannot be used to improve the
efficiency of a quantum communication protocol. In fact the efficiency is
bounded by the Holevo quantity [19], which implies that n qubits cannot be used
to transmit more than n bits of classical information. So, 1 key bit per qubit is
already the full efficiency. In a 2-level system it equals 1 bit per particle (here
we do not discuss $d$-level quantum systems [20,21,22], which can certainly reach
higher efficiency than a 2-level one). For example, with the qubit storage
facility, the delayed-choice BB84 protocol [23] can achieve full efficiency in
theory. From this point of view, the alleged high efficiencies in both Ref. [16]
and [17] are illusory because they even exceed the maximal value which is
allowed by quantum mechanics.

In summary, we point out two misuses of one-time pad in improving the
efficiency of quantum communication [16,17]. Indeed, one-time pad can
accomplish perfect security. But we should always remember its necessary conditions
when we utilize it in quantum cryptography. Otherwise, the quantum protocol
may become insecure.